Commitment Monitoring in a Multiagent System
Paola Spoletini1 and Mario Verdicchio2
1
2
Politecnico di Milano [email protected]
Università di Bergamo [email protected]
Abstract. Agent Communication Languages (ACLs) play a fundamental role in open multiagent systems where message exchange is the main
if not the only way for agents to coordinate themselves. New proposals
about ACL semantics based on social commitments aim at countering the
shortcomings of the mainstream mental-state-based ones. The commitment solution does not come for free and calls for an adequate monitoring
system that checks whether commitments are fulfilled or not.
1
Introduction
Agent Communication Languages (ACLs) play a very significant role in the context of multiagent systems, especially open ones, in which every agent’s internal
architecture has been independently developed and so the only common ground
it can share with other agents in the system is a standard communication framework. The most important ACL proposal so far, FIPA ACL [9], has gone through
some changes, but since its first version it has provided language specifications
in terms of agents’ mental states. It has already been discussed elsewhere [6, 15]
how several issues rise from this approach. Let us just remind here that standards relying on a theory involving mental states compel agent programmers
to create software with a specific architecture, implementing such theory and
thus enabling agents to communicate. In open multiagent systems, populated
by heterogeneous, independently developed agents, communication standards
should be specified so that agents’ internal architecture need not be taken into
account. The issues that probably hindered the universal success of mental statebased proposals, also triggered an alternative approach. Some researchers have
proposed a semantic framework for an ACL based upon the concept of social
commitment [13, 5], in which a communicative act is viewed as an action performed by an agent to create or modify the commitments by which it is bound to
the others. Commitments, as opposed to mental states, are objective and public
and thus have the great advantage of not needing to be reconstructed and attributed to other agents by means of inference processes, and they can be stored
in public records for further reference.
2
The formal model
Commitments describe certain states of affairs at different instants, thus we need
some formal definitions dealing with time, events, and actions. We provide here
a restricted version of a temporal logic that has already been illustrated in [15].
In this previous work the temporal model was relying on a frame branching in
the future, because the aim was to deal with the truth conditions of future directed sentences without the need for departing from a classic two-valued logic.
Instead, we take a more operational approach, and only evaluate the truth value
of past and present directed portions of sentences, while keeping the future directed parts suspended for further consideration. Moreover, since in this work we
propose a technique for monitoring, that is, checking temporal and atemporal
properties of a multiagent system at runtime, we only need to focus on a single
run of the system. With such working hypotheses, a branching model of time is
superfluous, and we can simply make do with a linear one. Thus, our starting
point is LTL± , a temporal language close to LTL, a linear temporal logic including only future-directed temporal operators [8], to which we add past-directed
operators, which allow us to express some properties of computational systems
in a far more succinct way [12]. In LTL± , time is assumed to be discrete, with a
starting point but no ending point.
We rely on the classical LTL± semantic definitions, and take a model M as
comprised of a set of states S, an infinite sequence x of states (x(0), x(1), ... ∈ S),
and a function v that labels each state with the atomic formulae true at that
state [8]. Given a model M , an atomic formula φ holds at a state x(t) if and only
if φ ∈ v(x(t)). The semantics of the following compound formulae is defined in
the usual way: ¬φ (not φ), φ ∧ ψ (φ and ψ), X+ φ (at the next state φ), X− φ
(at the previous state φ), φU+ ψ (φ until ψ), and φU− ψ (φ since ψ). We use the
usual derived logical connectives and temporal operators: φ ∨ ψ (φ or ψ), φ → ψ
(if φ then ψ), φ ↔ ψ (φ iff ψ), F+ φ (sometimes in the future φ), F− φ (sometimes
in the past φ), G+ φ (always in the future φ), G− φ (always in the past φ), φ
W+ ψ (φ weak until ψ, that is, φ is always true in the future or until ψ), φ W− ψ
(φ weak since ψ), φ Z+ ψ (φ until ψ and then no longer φ). This last operator
may need further elaboration, as to our knowledge it is not used elsewhere. It is
defined as follows,
φ Z+ ψ =def φ W+ ψ ∧ G+ (ψ→G+ ¬φ),
which holds iff ψ never becomes true and φ is always true, or eventually ψ
becomes true and from that moment on φ is no longer true.
In our view, events are reified, and each event token belongs to at least an
event type, and takes place at exactly one instant. An action is an event brought
about by an agent, called the actor of the action. We write Done(e, x, τ ) to
mean that event e of type τ is brought about by agent x. We use the “m-dash”
character as a shorthand for existential quantification. For instance:
Done(e, −, τ ) =def ∃xDone(e, x, τ ).
In our view, a commitment is a social state between agents comprised of four
components: an event e that has created the commitment, a debtor x which
is the agent who is committed, a creditor y which is the agent the debtor is
committed to, and a content u which represents the state of affairs the debtor
is committed to bring about, as in the following predicate:
Comm(e, x, y, u).
As we do not want to depart from first-order logic, the content is represented by
a term u, and we write ⌊u⌋ to refer to the relevant LTL± formula.
Intuitively, a commitment is fulfilled when its content is true, and is violated
when its content is false:
Fulf (e, x, y, u) =def Comm(e, x, y, u) ∧ ⌊u⌋,
V iol(e, x, y, u) =def Comm(e, x, y, u) ∧ ¬⌊u⌋.
Agents create and cancel commitments by performing suitable tokens of commitment manipulation action types, like make commitment (mc) and cancel commitment (cc). The reader may refer to [15] for further details about commitment
manipulation. The effects of the performance of a commitment manipulation action are illustrated in the form of axioms that reduce the number of allowable
models by limiting the interpretation of our primitive predicates. The scope of
the validity of formulae is then limited to the class of LTL± models that fulfill
the constraints imposed by such axioms. For instance, if an agent (not necessarily x or y) performs an action of making a commitment with x as debtor, y as
creditor, and u as content, then the relevant commitment holds until it is either
cancelled, or fulfilled, or violated, after which it no longer exists:
Done(e, −, mc(x, y, u)) →
Comm(e, x, y, u)Z+
(Done(−, −, cc(e, x, y, u))∨Fulf (e, x, y, u)
∨V iol(e, x, y, u)).
(MC)
We suppose that the multiagent system has been implemented in accordance
with the commitment-related axioms, while our aim is to check whether some
other properties, depending on actions performed by the agents, hold. Let us
take ϕ as an example of an LTL± formula which we want to monitor at runtime:
ϕ = G+ (Comm(−, −, −, u1 ) → u1 ), where ⌊u1 ⌋ = X+ (X+ A).
This formula will be taken as an example in the reminder of the paper.
3
The Monitoring System
We may assume that every agent in the system can monitor its properties thanks
to two specific functional components it is provided with: the Collector and the
Formula Analyzer.
The Collector collects information while conversations are carried out by the
agent with the others. The collected information consists of the atomic propositions contained in the monitored formula. We treat commitment predicates as
atomic propositions, by introducing an atom for each different commitment. We
deal with primitive predicates in the same way, and treat the derivated predicates
as compounds of the atoms corresponding to their primitive components. Thus,
in our example ϕ, the collected atomic propositions are comm u1 and A. The
collected atoms are time-stamped using the system’s clock, which every agent is
assumed to have access to. The pool of collected data is potentially infinite in
size, but in the following we will show that the nature of LTL± can ensure that
a finite memory suffices.
The Formula Analyzer can monitor the truth value of any LTL± formula at
runtime, hence, it has to deal with all the temporal operators of this language,
including the future-tense ones. In the monitoring process, the evaluation of such
sentences depends step by step on the evolution of the multiagent system. When
monitoring ϕ, we want to focus only on those parts of the system that affect the
truth value of the atoms in ϕ. The Collector builds a sequence of atoms included
in ϕ which are increasingly time-stamped. The sequence begins with the truth
values of all the atoms in ϕ at the initial state. In the following, we call such a
sequence a word. Hence, if a formula that contains future operators needs to be
evaluated at present time, its truth value depends on the suffix of the word that
will be created at runtime from that moment on.
The communication mechanism between the Collector and the Formula Analyzer is based on a simple Publish and Subscribe paradigm [3]. The Formula
Analyzer can get the relevant data in two different ways. It can either ask the
Collector for the new truth value of an atom everytime it changes (change subscription), or ask also for a periodical truth value check (periodic subscription),
so that the Formula Analyzer is notified by the Collector everytime the truth
value of the monitored atom changes, or one period passes by. The type of subscription depends on the temporal operators the atoms are contained in. If the
atom appears only in an atemporal subformula or in an unbounded (i.e. U+ , U− ,
F+ , F− , G+ , G− , W+ , W− and Z+ ) temporal operator, the Formula Analyzer
makes a change subscription. If the atom is in a bounded operator (i.e. X+ ,
X− ), the subscription must be periodic. Notice that if an atom is contained in
more than a subformula and it calls for more than one type of subscription, the
periodic subscription overrides the change one.
PRESENT
0
1
2
3
4
5
6
7
seconds
Change in the value of A
Change in the value of comm_u1
Fig. 1. A possible evolution of the system with respect to formula ϕ. Initially A is true
and comm u1 is false.
Let us consider again formula ϕ. It contains the atomic proposition A and
the commitment associated with u1 , hence the Analyzer has to subscribe to A,
using a periodic subscription, since A is contained in the two nested bounded
operators X+ , and to comm u1 with a change subscription. Let us suppose the
monitored system evolves as in Figure 1 and consider instant 7 as present time (0
is when the relevant conversation started). We take the period to be one second
long and suppose that the sequence of states in our model is finely graned enough
to allow us to associate any event happening between two subsequent seconds to
a particular state. The atoms collected until the present instant, i.e. the prefix
of the analyzed word, are:
({A, comm u1 }, 0)(A, 1)(A, 2)(A, 2.4)(A, 3)(A, 4)(comm u1 , 4.3)(A, 5)(A, 5.7)(A.6)
and (A, 7) is the current letter of the word. The Collector composes the collected atoms with the latest truth values of all the other atoms included in the
monitored formula, as follows:
({A, comm u1 }, 1)({A, comm u1 }, 2)({A, comm u1 }, 2.4)({A, comm u1 }, 3)
({A, comm u1 }, 4)({comm u1 , A}, 4.3)({A, comm u1 }, 5)({A, comm u1 }, 5.7)
({A, comm u1 }, 6)
and ({A, comm u1 }, 7) is the current letter. For instance, the collected letter
(A, 1) becomes ({A, comm u1 }, 1), where comm u1 takes the same value it had
at 0, because no changes have been published in the meantime. The word so
far has been composed using the history of the changes of A and comm u1 and
the value of A at every second. The evolution of the system in the future with
respect to A and comm u1 is seen as the suffix of the word that will be built at
runtime while the system evolves.
In general, the Formula Analyzer deals with a set Φ of formulae. If |Φ| = n, it
launches n independent components that work in parallel, each one devoted to a
formula φi ∈ Φ. Every component is implemented as a finite state automaton Ai
that has to recognize if the input letter, i.e. the time-stamped atom provided by
the Collector, satisfies φi . The automaton Ai is built considering the nature of
the formula it represents. LTL± allows for both past and future modalities. Our
basic technique to deal with both is to consider the two modalities separately,
i.e. with no nesting between them. This does not impose any restriction on the
syntax of LTL± , because a well known theorem by Gabbay [10] states that it is
always possible to separate past-directed and future-directed subformulae with
a non-elementary blow up in the size of the initial formula. This complexity
may result in a significant impact on the monitoring system’s efficiency in worst
case scenarios, but it has to be noticed that logic formulae of some interest in a
multiagent system are generally already separated or have a rather small number
of nestings of past and future-directed operators.
Thus, we can suppose to work with separated formulae, i.e. boolean combinations of pure past-directed and pure future-directed formulae, and we deal
with them in two different ways.
For the future modalities we exploit the well-known correspondence between
LTL and alternating automata [4]. Alternating automata are a more compact
form of Büchi automata, i.e., non deterministic finite state automata over infinite
words [14]. An alternating automaton can be intuitively described as follows. In
a deterministic automaton, the transition function maps a hstate, input-symboli
pair to a single state, called the next-state. A configuration is a pair composed
of the current state and the yet unread input content. By reading the next input
symbol, the automaton can reach–in a single step–a new configuration. At the beginning, the automaton accepts an input x if the configuration reached from the
if(result(X −φ ) ∧ current_time-time(X −φ )>=1)
return true;
else
if(result(X −φ ) ∧ current_time-time(X −φ )<1)
return true;
else
return false;
(a)
(b)
if( in_atoms ⊆ φ∧ in_timestamp-activation_time<1)
partial_result(X +φ )=true;
if(in_atoms ⊆ ¬φ∧ in_timestamp-activation_time<1)
partial_result(X +φ )=false;
if(partial_result(X +φ) ∧ in_timestamp-activation_time>=1){
flag(X +φ )=false;
return true;
}
if(!partial_result(X +φ) ∧ in_timestamp-activation_time>=1){
flag(X +φ )=false;
return false;
}
(c)
(d)
Fig. 2. Pseudo-code for monitoring (a) X− φ, (b) ψ U− φ, (c) X+ φ, and (d) ψ U+ φ. In
the code in atoms ⊆ φ is true if the current atoms value makes φ true; if φ is an atom,
it is more correct to write in atoms ∋ φ. Variable activation time is a parameter that
stores the value of the clock when a process is activated, while time(X− φ) stores the
last time instant in which φ changed its value. Boolean variable partial result(X+ φ)
saves the latest value of φ, stored before the one time unit is passed from the activation
time, flag stores the status of the processes and result the present evaluation of past
operators.
initial state through x is acceptable. On the other hand, in a non-deterministic
automaton a hstate, input-symboli pair is mapped to a set of states, hence the
automaton may move, by reading the next input symbol, from a configuration
to a set of configurations. The traditional interpretation of non-determinism is
existential branching: an input x is accepted is there is at least a sequence of
acceptable configurations which is reachable from the initial state. Another interpretation of nondeterminism is universal branching: a non-final configuration is
acceptable if every configuration reachable in one step is acceptable. An alternating automaton provides both existential and universal branching. Its transition
function maps a hstate, input-symboli pair into a (positive) boolean combination of states. Quite naturally, ∧ is used to denote universality, while ∨ denotes
existentiality.
For the past we do not need nondeterminism, as when a past-directed formula
is evaluated at a certain state, the past is already set and the evaluation is
immediate. However, we still need an automaton on infinite words since we
intend to verify a past-directed formula in all time instants in the future, which
makes us interpret the past as an infinite set of prefixes. In [11], it is shown
that deterministic Büchi automata suffice for this purpose. The combination
of different subformulae is performed easily, since the boolean connectors, ∧
and ∨, naturally correspond to universal and existential branching, respectively,
and deterministic Büchi automata can be seen as alternating automata without
existential and universal branching.
A
A&&t<1
A&&t<1
!A&&t<1
!A&&t<1
!A&&!B
FALSE
B
t=0
t>=1
t>=1
FALSE
TRUE
(a)
TRUE
(b)
Fig. 3. Automata for the monitoring of (a) X+ A and (b) A U+ B. && and ! are equivalent to ∧ and ¬ respectively.
The overall formula representation in the Formula Analyzer is inspired by this
theoretical model, but with some limitations so to ensure that the alternating
automata come in a finite number of copies and that a finite memory suffices for
the Collector. The idea is that the automaton monitoring a formula is executed
by a process, and all processes are coordinated by the Formula Analyzer, which
receives the needed atoms from the Collector and passes them to the relevant
processes. Thus, a generic Analyzer that deals with N processes executes the
following loop:
while(true){
in_atoms=new atoms;
in_timestamp=new timestamp;
(...)Sends the new collected data to the process waiting for truth values;
for(int i=1; i<=N; i++)
if(!result(i))
break;
}
The variable in_atoms contains the latest value of all the atoms and in_timestamp
is the corresponding time-stamp. The atoms and timestamp functions collect the
latest atoms and time-stamp, respectively, from the Collector, while result(i)
is a function evaluating the truth value of the formula monitored by process i.
Notice that every time the automaton performs a universal branching, each new
copy of the automaton is executed by a new independent process. In Figure 3
we propose an algorithmic representation only for X+ , X− , U+ and U− , since
all the other temporal operators can be derived by them. Moreover Figure 3
represents the automata corresponding to X+ and U+ , while the automata for
X− and U− are not reported since they trivially evaluate the value of the formula
in a transition using the past values stored in the Collector, computed as in
Figure 3. Notice that the communication between the Analyzer and a process is
performed only when the process is active, i.e., when the corresponding formula
needs to be evaluated. The other operators can be trivially derived by these four,
however in the implementation of the monitoring system some optimizations in
the translation to automata are proposed to improve the overall performance.
Moreover, nested X+ (X− ) operators are dealt as new operators, in which, instead
of focusing on one time unit, we consider as many units as the number of nestings.
(a)
(b)
Fig. 4. Process for pre-computing the value of the past operators (a) X− φ and (b) ψ
U− φ.The variable previous stores the last value assumed by φ.
When the G+ and G− operators are externally applied to the overall formula,
they are not treated as temporal operators, but as universal quantifiers over time
instants that are dealt with by continuously checking the quantified formula.
Notice that time-stamps offer us the possibility of a future extension in which
metric temporal operators are introduced. Thus, since conversations are time
consuming, we can guarantee that once we have fixed a time granularity, the
number of data changes in a time unit is finite.
In an alternating automaton, every time a universal branch is taken multiple
copies of the automaton are created to visit all the paths, which could theoretically lead to an infinite set of automata. However, in our implementation, the
number of processes is always bounded by 1 for every operator.
In the example formula ϕ, we have a process that runs continuously to deal
with the external universal quantification and for every time unit it checks
whether comm u1 holds and if so, it launches a new process devoted to u1 ,
while it goes on checking for new instances of comm u1 . The process that deals
with u1 checks two nested X+ operators, hence it saves the present time-stamp
and waits for a change in the truth value of A. When this happens or the difference between the present time and the time-stamp becomes bigger than two
time units, the process evaluates the formula as false, otherwise as true. If this
last process evaluates the formula as false the overall value of the formula is false
and it is notified to the Formula Analyzer. The pseudo-code and the automaton
corresponding to the formula are represented in Figure 3.
comm_u1
TRUE
t>=2
&&
comm_u1; t=0
FALSE
u1 && t<2
t>=2
!u1 && t<2
u1 && t<2
!u1 && t<2
(a)
(b)
Fig. 5. Automaton (a) and correspondent processes (b) to monitor the example formula
ϕ. Process ϕ activates the process corresponding to X+ X+ setting its flag to true and
from that moment on the two processes communicate every time the Analyzer sends a
new letter to process ϕ until the flag of X+ X+ is set to false again.
4
Related and Future Work
The idea of having a separated module for system monitoring has already been
proposed in the Web Service literature [1, 2], which has inspired us for this work.
To our knowledge, our automata-based monitoring approach is rather new in
the context of multiagent systems, although some research about monitoring
agents’ social states has already been carried out. The most relevant related
work is Cranefield’s [7], in which hyMITL± , a rule language for specifying social
expectations, is presented and an algorithm for rule compliance monitoring is
outlined. hyMITL± relies on a branching model and is more expressive, which
makes the monitoring process more complex a task. The current status of our
work calls for a detailed comparison of the two approaches to establish the correct
balance between expressiveness and efficiency. In particular, we hope that our
automata-based operational approach will help tackle some of the technical issues
in hyMITL± related to the evaluation of the formulae’s truth value. Since our
approach is based on the evaluation of time-stamped words, it can be naturally
extended to deal with more complex metric operators and functions and work
with dense time models.
References
1. F. Barbon, P. Traverso, M. Pistore, and M. Trainotti. Run-Time Monitoring of
Instances and Classes of Web Service Compositions. In Proceedings of the IEEE
International Conference on Web Services (ICWS’06), pages 63–71, 2006.
2. L. Baresi and S. Guinea. Towards Dynamic Monitoring of WS-BPEL Processes.
In Proceedings of the International Conference on Service Oriented Computing
(ICSOC’05), pages 269–282, 2005.
3. A. Carzaniga, D. S. Rosenblum, and A. L. Wolf. Design and Evaluation of a
Wide-Area Event Notification Service. ACM Transactions on Computer Systems,
19(3):332–383, 2001.
4. A. K. Chandra, D. Kozen, and L. J. Stockmeyer. Alternation. Journal of the ACM,
28(1):114–133, 1981.
5. M. Colombetti. A Commitment–Based Approach to Agent Speech Acts and Conversations. In Agents 2000, pages 21–29, Barcelona, Spain, 2000.
6. M. Colombetti and M. Verdicchio. An Analysis of Agent Speech Acts as Institutional Actions. In C. Castelfranchi and W. Lewis Johnson, editors, Proceedings
of the 1st International Joint Conference on Autonomous Agents and Multiagent
Systems (AAMAS 02), pages 1157–1166. ACM Press, 2002.
7. S. Cranefield. A Rule Language for Modelling and Monitoring Social Expectations
in Multi-Agent Systems. In L. Pack Kaelbling and A. Saffiotti, editors, Proceedings of the Nineteenth International Joint Conference on Artificial Intelligence
(IJCAI’05), pages 1659–1660, 2005.
8. E. A. Emerson. Temporal and Modal Logic. In Handbook of Theoretical Computer
Science, volume B, pages 995–1072. MIT Press, Cambridge, MA, 1990.
9. FIPA. ACL Specifications. Specification, Foundation for Intelligent Physical
Agents, http://www.fipa.org/repository/aclspecs.html, 2002.
10. D. M. Gabbay. The Declarative Past and Imperative Future: Executable Temporal
Logic for Interactive Systems. In Temporal Logic in Specification, pages 409–448.
Springer, 1987.
11. M. Pradella, P. San Pietro, P. Spoletini, and A. Morzenti. Practical Model Checking of LTL with Past. In Proceedings of the 1st International Workshop on Automated Technology for Verification and Analysis (ATVA 2003), National Taiwan
University, 2003.
12. M. Reynolds. More Past Glories. In Proceedings of the Fifteenth Annual IEEE Symposium on Logic in Computer Science (LICS 2000), pages 229–240. IEEE Comp.
Soc. Press, 2000.
13. M. P. Singh. Agent Communication Languages: Rethinking the principles. IEEE
Computer, 31:40–47, 1998.
14. W. Thomas. Automata on Infinite Objects. Handbook of Theoretical Computer
Science (vol. B): Formal Models and Semantics, pages 133–191, 1990.
15. M. Verdicchio and M. Colombetti. A Logical Model of Social Commitment for
Agent Communication. In F. Dignum, editor, Advances in Agent Communication,
volume 2922 of LNCS. Springer, 2004.